Linux Analysis Report
7NoSwE5r4C.elf

Overview

General Information

Sample name: 7NoSwE5r4C.elf
renamed because original name is a hash value
Original sample name: 61c86757beb13fc92099432f0e2381114ddd1ef64911f74be02ac3265dd864ea.elf
Analysis ID: 1428257
MD5: e7c6bf75f4dc4a49bbab55fa7d0cc3c8
SHA1: e2cab9d930479949b71eb4e7e619b137cbf43813
SHA256: 61c86757beb13fc92099432f0e2381114ddd1ef64911f74be02ac3265dd864ea

Detection

Chaos
Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Chaos
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: 7NoSwE5r4C.elf ReversingLabs: Detection: 47%
Source: unknown HTTPS traffic detected: 54.247.62.1:443 -> 192.168.2.13:57212 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com
Source: 7NoSwE5r4C.elf String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: 7NoSwE5r4C.elf String found in binary or memory: http://search.msn.com/msnbot.htm
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: 7NoSwE5r4C.elf String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: 7NoSwE5r4C.elf String found in binary or memory: http://yandex.com/bots)http:
Source: 7NoSwE5r4C.elf String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: 7NoSwE5r4C.elf String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: 7NoSwE5r4C.elf String found in binary or memory: https://www.so.com/s?q=index
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57212
Source: unknown Network traffic detected: HTTP traffic on port 57212 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/2@2/0
Source: ELF file section Submission: 7NoSwE5r4C.elf
Source: /usr/bin/dash (PID: 5471) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.F82KsbkOqd /tmp/tmp.CS6O9EWm79 /tmp/tmp.vYYyKkEtJ5
Source: /usr/bin/dash (PID: 5480) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.F82KsbkOqd /tmp/tmp.CS6O9EWm79 /tmp/tmp.vYYyKkEtJ5
Source: /tmp/7NoSwE5r4C.elf (PID: 5429) Queries kernel information via 'uname'
Source: 7NoSwE5r4C.elf, 5429.1.00007ffcddfa5000.00007ffcddfc6000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips64el
Source: 7NoSwE5r4C.elf, 5429.1.00007ffcddfa5000.00007ffcddfc6000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips64el/tmp/7NoSwE5r4C.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/7NoSwE5r4C.elf
Source: 7NoSwE5r4C.elf, 5429.1.000055ff4c41f000.000055ff4c4a5000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips64el
Source: 7NoSwE5r4C.elf, 5429.1.000055ff4c41f000.000055ff4c4a5000.rw-.sdmp Binary or memory string: U1MIPS64R2-generic-mips64-cpu1/etc/qemu-binfmt/mips64elu

Stealing of Sensitive Information

Source: Yara match File source: 7NoSwE5r4C.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 7NoSwE5r4C.elf, type: SAMPLE